Cyber Attack Defenders


What to look for in a Next Generation Firewall (NGFW)

Your legacy Cisco ASA firewalls are nearing the end of life (EOL) and so now your boss has tasked you with selecting a new firewall solution. You’ve heard that the Next Generation Firewall (NGFW) is the next big thing when it comes to protecting network perimeters, but you really don’t know a lot about it. Where do you start? What do you look for? What questions do you ask?

In this blog entry, I will provide some quick pointers on how to create a list of requirements against which you would evaluate potential NGFW candidates.

If you are starting your requirements development from scratch, an easy place to start is the Payment Card Industry Data Security Standards (PCI DSS) organization. The PCI DSS publication, “Requirements and Security Assessment Procedures,” can be used as a foundation for developing NGFW requirements for your agency. The latest version of the PCI DSS publication is version 3.1 from April 2015. You can download it here.

You can create the language your boss wants to see by copying, pasting, and editing the PCI DSS document. Once that’s done, you will have a bunch of vendors hitting you up for meetings. What questions do you ask these guys to make sure you are getting the right product for your requirements?

At a minimum, your questions should focus on application identification, application policy control, threat prevention, management, networking, and hardware. Here is the list of questions you should ask. Feel free to copy and modify to fit your own procurement needs.

Application Identification (App-ID)

Describe how the gateway will accurately identify applications and the mechanisms used to classify applications.

Is identification based on an intrusion prevention system (IPS) or deep packet inspection (DPI) technology? You want DPI.

If it’s DPI, what are its classification accuracy and completeness? And are there performance penalties when App-ID features are turned on?

How is the traffic classification mechanism different from other NGFW vendors?

Can port-based controls be implemented for all applications in the application database?
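To make the port-based versus DPI distinction in the questions above concrete, here is a small added example (not from the original post or any vendor) that classifies a few constructed sample flows both ways; the signatures and flows are illustrative assumptions, not a real App-ID engine.

```python
"""Toy contrast of port-based vs payload-based (DPI) application identification.
Added example code; the signatures and sample flows below are constructed."""
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    dst_port: int
    payload: bytes  # first bytes of client-to-server payload


# Legacy firewall view: the destination port is the application.
PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}


def classify_by_port(flow: Flow) -> str:
    """Port-based classification: trust the destination port."""
    return PORT_MAP.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """DPI-style classification: inspect the payload, ignore the port."""
    p = flow.payload
    if p.startswith(b"SSH-"):                       # SSH version banner
        return "ssh"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":      # TLS handshake record header
        return "tls"
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    return "unknown"                                # completeness gap: no signature matched


# Constructed sample flows covering agreement and disagreement cases.
SAMPLE_FLOWS = [
    Flow("web on standard port", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    Flow("web on alternate port", 8080, b"GET /api HTTP/1.1\r\nHost: app.test\r\n"),
    Flow("ssh on port 443", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("real tls on 443", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def compare(flows):
    """Return {flow name: (port verdict, DPI verdict)} so disagreements are visible."""
    return {f.name: (classify_by_port(f), classify_by_payload(f)) for f in flows}


if __name__ == "__main__":
    for name, (by_port, by_dpi) in compare(SAMPLE_FLOWS).items():
        flag = "" if by_port == by_dpi else "  <- port-based verdict is wrong"
        print(f"{name:24} port={by_port:8} dpi={by_dpi}{flag}")
```

The two flows on which the verdicts disagree are exactly the cases a port-based policy cannot control, which is why the accuracy and completeness questions matter when evaluating App-ID.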

Can the solution perform traditional firewall-based access controls?

Can policy controls be implemented from a single management interface? For example, Cisco is notorious for having to use ASDM to manage the legacy ASA chassis and FireSIGHT console to manage NGFW features. You don’t want that.

Are users warned when they attempt to access a URL or application that violates policy?

Threat Prevention

Describe the intrusion prevention features and antivirus engine.

List the types of threats that can be blocked. List the file types that can be blocked.

Is data filtering supported?

Can the threat prevention engine scan inside SSL-encrypted traffic? What about compressed traffic?

Is the solution software-based, an OEM server, or a purpose-built appliance?

Describe the solution architecture. Is it single-pass or multi-pass? How are the data plane and control plane separated?

Phew … what a list! Hopefully this comes in handy. For more help, don’t hesitate to reach out to SwishData. We have a team of engineers available to help you navigate through the NGFW procurement process.